netwire | e7df88b691f820535f249821d16054a01f33e0acf3ae12d0b64f98cced910012 | Triage

Submit
Reports

Overview

overview

Static

static

Tax Invoice.xlsm

windows7-x64

Tax Invoice.xlsm

windows10-2004-x64

Sharing

General

Target

Tax Invoice.xlsm
Size

42KB
Sample

221117-mclsbaeb56
MD5

241d9fbb42762beb00492d32d5e9d291
SHA1

e6f1f8bbc40a59911543be499e1e07b54d55c3f4
SHA256

e7df88b691f820535f249821d16054a01f33e0acf3ae12d0b64f98cced910012
SHA512

a503b4e51bb09fa2e5c1b2a546cbf0c562200e77e67f2f81757f0b6f5460cc38e33d0ea871b7f7c1d92ed82ac3ca756a37e08a5e633077a560c9627516ea9aef
SSDEEP

768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7/:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Tax Invoice.xlsm

Resource

win7-20221111-en

netwire botnet rat stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Tax Invoice.xlsm

Resource

win10v2004-20221111-en

netwire botnet rat stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Tax Invoice.xlsm
- Size
  
  42KB
- MD5
  
  241d9fbb42762beb00492d32d5e9d291
- SHA1
  
  e6f1f8bbc40a59911543be499e1e07b54d55c3f4
- SHA256
  
  e7df88b691f820535f249821d16054a01f33e0acf3ae12d0b64f98cced910012
- SHA512
  
  a503b4e51bb09fa2e5c1b2a546cbf0c562200e77e67f2f81757f0b6f5460cc38e33d0ea871b7f7c1d92ed82ac3ca756a37e08a5e633077a560c9627516ea9aef
- SSDEEP
  
  768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7/:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy